Birth of the Verbal Hack?

Microsoft Corp. said Wednesday that a voice-recognition feature built into Vista -- the new version of Windows that went on sale this week -- could be exploited remotely to delete files on a victim's machine if he or she visited a Web site that played audio containing spoken commands through the computer's speakers, where the microphone could pick them up and hand them to the speech recognizer.

Online computer security forums were abuzz this week with discussions of ways to exploit the new feature. In the DailyDave online security newsgroup, one commenter described a successful test in which he managed to delete his entire "My Documents" folder using the voice command feature. An attack recorded as an audio file and automatically played when a user visits a malicious Web site could have the same effect, security experts said.

Microsoft noted that the voice-recognition feature is not turned on by default in Vista, and that such an attack would be extremely difficult to execute.

In a posting on its security Web site, Microsoft said a targeted system "would need to have the speech recognition feature previously activated and configured. Additionally the system would need to have speakers and a microphone installed and turned on. The exploit scenario would involve the speech recognition feature picking up commands through the microphone such as 'copy,' 'delete,' 'shutdown,' etc. and acting on them. Of course this would be heard and the actions taken would be visible to the user if they were in front of the PC during the attempted exploitation. There are also additional barriers that would make an attack difficult including speaker and microphone placement, microphone feedback, and the clarity of the dictation."

While Microsoft said the feature could be exploited to delete a victim's documents, it pointed out that a key component of security on Vista -- the "user account control" (UAC) feature, which requires the user to approve any significant change to the system (a standard user must supply an administrator's password) -- would prevent an attacker from installing software or creating new user accounts on the victim's PC.

Rich Mogull, a security analyst with Gartner Inc., said he doubts that many users will bother to configure and run the voice command feature in Vista, and even for those who do the real threat of falling victim to such an attack would be fairly low.

Still, Mogull said, "if they are running it, and someone can get the right kind of file to play when no one is looking, yep, you could do nasty stuff."

My personal favorite perspective on this comes from the venerable security guru Dan Geer, who offered the following challenge on the DailyDave list:

"Here's $500 for the first documented case of someone using the white courtesy phone in an airport to page Mr Shootdown, Reese Sett, Sleep Now, or whatever and blanking all the laptops in a concourse. An extra $500 if it's DC National..."

How good IS the Vista sound recognition though? Are we talking about Star Trek good?

"Computer, stop telling me what to do!"

Or

Are we talking about like when I'm trying to voice dial with my cell phone and end up getting frustrated about having to say "Call Mom" about 10 times before it finally gets "Call Bob" and I have to say NO and it starts all over again? Or even worse, if it accepts "Go" as an answer instead of only NO, then I now have a confused best friend wondering why I am calling him Mom.

Gotta love Microsoft's defense: "this attack will only work if you're actually -using- the super-duper cool features that we put into the OS to try to con you into buying it..."

So the FUD begins.

If you have an understanding of what has to be done for this to work, then you would also understand that it is more likely that you will be bitten by a spider and become Spiderman.

Cynics, like Joe, do nothing but spread their dislike for Microsoft. When, in fact, the blame should be, most often, on the third party driver and software manufacturer and the user.

Yes, as it turns out, no matter how secure an operating system is made, the hole that can not be patched is the user.

There are so many steps that must be in just the right place at just the right time for this to work that I'm sure we will never hear of a documented occurrence of it really happening.

So, this is FUD.

Since 95.9% of computer users worldwide are using some form of Windows (see Forbes reference here http://www.itfacts.biz/index.php?id=P8018), don't you think it is better to help educate them on the proper use and protection of their system than copping out by blaming Microsoft for everything?

I just got Vista Ultimate installed on a Macbook Pro using VMware Fusion, and it works fine, albeit not as fast as I'd like. Overall, I'm impressed with the accuracy and ease of use with Vista's speech recognition software. It even catches commands and dictation very well using the Macbook's built-in mic, which surprised me. I will be dictating a blog post tomorrow, so I'll probably have a fuller review of the functionality then.

Agreed with Jon.
I suppose it is possible I could get drunk, fall asleep on my house key, leave an imprint in my face that is later copied in wax by an evil henchman, and therefore owning keys is a security threat to my house.

duh.....

This should not be classed as a security threat but rather a stupidity threat.

My understanding is that what is needed is VR configured, speaker and mic on. Then a malicious website plays an appropriately malicious audio command that's executed. For optimal effect, a delayed pop-under would be best so that there's a better chance the user's gone when it executes.

This exploit requires that the user be running VR and have speakers and a mic enabled. But if a user is using VR, wouldn't it stand to reason that they WOULD leave their mic and speakers enabled for convenience?

Talk about absurd. This is like saying - "oh, Vista has a security hole in it because if you leave your machine running when you go to take a leak, someone can walk by and do malicious things to your desktop." Duh!

I thought that when you set up the voice recognition software, it took about 20 minutes to "learn" the way you speak.

The one guy who did manage to do this obviously was using his own voice, and I'm guessing that he also "taught" the computer with that voice. So yeah, it would be possible to do it to yourself, on your own computer.

However, I am from Scotland; I have an accent that few of you in Yankville would understand, let alone be able to copy accurately enough to get my computer to think you are me.

I'm sure the same thing exists in America too; people from Washington don't sound like people from Alabama.

It seems to me like the only security threat posed here is if you have your voice stolen.

@ Mike:
>>Cynics, like Joe, do nothing but spread their dislike for Microsoft.

"The power of accurate observation is commonly called cynicism by those who have not got it." -- George Bernard Shaw

I will, however, give Microsoft credit for not in fact enabling this function in Vista by default. Phew, one bright spot. Maybe some in Microsoft's management are starting to 'get' that "default-disable" of "functionality" is the way to go? Maybe they learned from the experience of speech recognition being enabled by default on XP RTM? http://www.softwaretipsandtricks.com/forum/windows-xp/35-typing-delay-xp.html

Until everyone realizes security flaws are bad, you're all gonna continue to come to Microsoft's defence, which means you all will have computers that are not secure.

What standards do you people want, expensive insecure computers? Bill claims he spent 6 billion dollars on the goes on to claim Vista as the most secure system, while the NSA provides their involvement, and you get voice-activated hacking...

You people are sitting in a pot of boiling water and don't know when to leap out...

Vista is about DRM, taking away your rights, and it appears most of you don't even care about liberty, rights and freedom.

Here's a suggestion: what would happen if intellectual property rights were to be removed, allowing everyone to share the benefits in society so nobody would be left out or disadvantaged...

Maybe then we wouldn't have capitalism, no more corporate greed, lawsuits and hungry people...

Yes indeed, what kind of world would we have then, where everyone no longer works for money, too!

Hard to imagine when you're stuck on owning the world's wealth, that is, less than 1% of the rich owning 40% of the world's wealth....

You've all forgotten who the speech features were designed for: People with physical impairments that keep them from using a keyboard; I know several such folk. The lack of this support built into the OS has been a sore point for people with disabilities.

Third-party speech recognition software has been available for a LONG time; I believe it's even available for OSX.

There is a very old post about the hazards of speech recognition on the COMP-RISKS digest, so the problem posted isn't new at all.


Blaming Microsoft IS A HUGE COP-OUT. I can't even believe that something this stupid is even being considered a security threat. It should be in there with knocking people out before they get a chance to lock their computer.
Most of these "security threats" are obscure events that rely on the user making some kind of stupid mistake, but Microsoft still deals with it by releasing security updates to try and baby people more and more through the use of their computer.
STOP BLAMING MICROSOFT AND LEARN HOW TO USE YOUR COMPUTER!